lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <7FCE473840E74747AE1E65C2E53E3DE721271D@ENTPCMAIL1.pinellascounty-fl.gov>
Date: Wed, 29 Jun 2005 13:34:38 -0400
From: "Ginski, Richard J." <rginski@...pinellas.fl.us>
To: <bugtraq@...urityfocus.com>
Subject: Oracle Question  Slightly OT


Forgive me for this being slightly off topic.  We've checked Oracle's
site, including posting to their "Technology Network", and have yet to
find a best practices document for securing Oracle databases. Am I
missing something? ... Or should something this obvious be available on
Oracle's site? Can anyone provide links to such information?

-----Original Message-----
From: Joshua Wright [mailto:jwright@...borg.com] 
Sent: Wednesday, June 29, 2005 10:16 AM
To: bugtraq@...urityfocus.com
Subject: Auditing Privilged Oracle Passwords - hashattack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've put together a tool that can be used to build a table of Oracle
password hashes from a dictionary file for a designated username.
Hashes are calculated by creating a user account similar to the target
account to be audited and repeatedly changing the password with "ALTER
USER" for each dictionary word, storing the hash for each password in a
table.

Once the table of hashes is built, a simple SELECT can be issued to
determine if the password hash for a target user is a simple dictionary
word:

SQL> select h.username, h.password, h.hash
  2  from hashattack h, dba_users d
  3  where d.password = h.hash and h.username = 'SYS';

USERNAME   PASSWORD             HASH
- ---------- -------------------- --------------------
SYS        KILTPLEAT            2BBDC477FFB28563

SQL>


Written in PL/SQL, available at
http://802.11ninja.net/code/hashattack-0.1.tgz,
http://802.11ninja.net/code/hashattack-0.1.tgz.asc

Comments, questions, concerns welcome.

- -Josh
- --
- -Joshua Wright
jwright@...borg.com

2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

Today I stumbled across the world's largest hotspot.  The SSID is
"linksys".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCwq0QTS8i9jZYpL8RApOqAKCnTqrAwCaqKT3KALl0b8CDRo9I0QCfRKnB
LcY+tDFFcNAeMbsIg7YWe88=
=L/x5
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ